| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <eg6bk4$7r1$1@taverner.cs.berkeley.edu> Date: Fri, 6 Oct 2006 19:43:00 +0000 (UTC) From: daw@...berkeley.edu (David Wagner) To: linux-kernel@...r.kernel.org Subject: Re: Really good idea to allow mmap(0, FIXED)? Arjan van de Ven wrote: >> Let me see if I understand. If the kernel does this somewhere: >> >> struct s *foo; >> foo->x->y = 0; >> >> and if there is some way that userland code can cause this to be >> executed with 'foo' set to a NULL pointer, then user-land code can >> do this: >> >> mmap(0, 4096, PROT_READ|PROT_EXEC|PROT_WRITE, >> MAP_FIXED|MAP_PRIVATE|MAP_ANONYMOUS, 0, 0); >> struct s *bar = 0; > >the question isn't if it's a good idea to allow mmap(0) but to allow >mmap PROT_WRITE | PROT_EXEC ! Oops. Please ignore the PROT_EXEC. That is completely irrelevant. I'm sorry I included it; the inclusion of PROT_EXEC was a mistake. Delete PROT_EXEC, then re-read my email -- everything else in there is still valid. The security exploit I explained didn't involve executing anything from the mmap'ed page; the kernel reads an address from this page, and then dereferences it. Even without PROT_EXEC, it sounds like a user-triggerable NULL pointer dereference in the kernel can create a local root exploit (at least in some cases). - To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists